This content is now out of date.

Can we reuse the same server certificate for both IIS and Tomcat Servers?

Hi,

1. Recently we had implemented Yellowfin with https support. We have an IIS Server running on a machine and have been issued with a Server Certificate, but when I try to reuse the same certificate for the Tomcat server, it is not able to recognize this certificate. Can we reuse the same certificate for IIS and Tomcat servers?

2. Hence I am making use of a TomcatConnector to connect to the IIS Server. And I need to know how to make use of the same TomcatConnector to make sure that I can connect to both http and https?

Request a quick reply.

Thanks,
Nikhil

Hi Nikhil,

This configuration is outside the scope of what we at Yellowfin can support.
This sounds like a general Tomcat issue, so you may have to google this further.

However, I will try to answer these questions as best as possible.

1. Sharing Certificates between IIS and Tomcat.

I don't think this is the best way to implement security in IIS/Tomcat, however you should be able to share certificates. I would assume you just need to convert the certificate into a format that Tomcat will recognise. You will need to import your certificate into a Java keystore and then reference this from Tomcat's server.xml file.

Using Mod/JK is a better way to implement security if you are using a webserver.

2. Using the TomcatConnector to implement both HTTP and HTTPS.

When you refer to TomcatConnector, I assume you are referring to the Mod/JK connector.

The Mod/JK connector uses another protocol, called AJP, to communicate between a webserver (IIS or Apache) and Tomcat. AJP does not implement security.

IIS and Apache can be configured to accept connections on HTTP and HTTPS. In the case of HTTPS, the webserver would usually provide the encryption and load the required content from Tomcat via AJP.

In this case, you only need to enable AJP in Tomcat, and don't need to configure HTTPS at the application server level. Usually AJP and HTTP will be enabled on local network addresses, and external access will be via the webserver through the AJP connection.

Hope that makes sense.

Thanks,
Peter
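
The two setups described in the reply above, sketched as a `server.xml` fragment. This is an added example, not part of the original thread or Yellowfin's documentation; it assumes Tomcat 8.5 or later, and the file names, ports and passwords are placeholders.

```xml
<!-- Fragment of Tomcat conf/server.xml, placed inside the <Service> element.
     Added illustration: paths, ports and passwords are placeholders. -->

<!-- Option 1: Tomcat terminates HTTPS itself, reusing the IIS certificate.
     Export the certificate together with its private key from IIS as a
     .pfx (PKCS#12) file, then import it into a Java keystore:
       keytool -importkeystore -srckeystore iis-export.pfx -srcstoretype PKCS12
               -destkeystore conf/tomcat.jks -deststoretype JKS
     A certificate exported without the private key cannot be used here. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/tomcat.jks"
                 certificateKeystoreType="JKS"
                 certificateKeystorePassword="CHANGE_ME" />
  </SSLHostConfig>
</Connector>

<!-- Option 2: IIS terminates HTTPS and forwards requests to Tomcat over AJP.
     No HTTPS connector is needed in Tomcat in this case.
     AJP is neither encrypted nor authenticated, so bind it to loopback
     (or to an internal interface if IIS runs on another host) and require
     a shared secret. The secret attributes assume a Tomcat release that
     supports them (9.0.31, 8.5.51 or later); the same secret must be set
     on the connector's worker definition on the IIS side. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true" secret="CHANGE_ME"
           redirectPort="8443" />
```

Restrict read access to the keystore file and `server.xml` to the account Tomcat runs as, since both now hold private key material or passwords.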